The Bounced Message

From: Mail Delivery Subsystem 
Date: Tue Mar 26, 2002  05:05:44 AM US/Eastern
To: 
Subject: Returned mail: User unknown

The original message was received at Tue, 26 Mar 2002 05:05:33 -0500 (EST)
from mail.city-net.com [198.144.32.6]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery.  The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered.  The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



   ----- The following addresses had permanent fatal errors -----




   ----- Transcript of session follows -----
... while talking to air-yb05.mail.aol.com.:
RCPT To:
<<< 550 MAILBOX NOT FOUND
550 ... User unknown
RCPT To:
<<< 550 MAILBOX NOT FOUND
550 ... User unknown
RCPT To:
<<< 550 MAILBOX NOT FOUND
550 ... User unknown
Reporting-MTA: dns; rly-yb01.mx.aol.com
Arrival-Date: Tue, 26 Mar 2002 05:05:33 -0500 (EST)

Final-Recipient: RFC822; hwdballa69@aol.com
Action: failed
Status: 2.0.0
Remote-MTA: DNS; air-yb05.mail.aol.com
Diagnostic-Code: SMTP; 250 OK
Last-Attempt-Date: Tue, 26 Mar 2002 05:05:44 -0500 (EST)

Final-Recipient: RFC822; kath61486@aol.com
Action: failed
Status: 2.0.0
Remote-MTA: DNS; air-yb05.mail.aol.com
Diagnostic-Code: SMTP; 250 OK
Last-Attempt-Date: Tue, 26 Mar 2002 05:05:44 -0500 (EST)

Final-Recipient: RFC822; lilswtbirdy@aol.com
Action: failed
Status: 2.0.0
Remote-MTA: DNS; air-yb05.mail.aol.com
Diagnostic-Code: SMTP; 250 OK
Last-Attempt-Date: Tue, 26 Mar 2002 05:05:44 -0500 (EST)

From: jane85@ax-x.com ()
Date: Tue Mar 26, 2002  05:03:50 AM US/Eastern
To: hwdballa69@aol.com,
dancerqueen42@aol.com, prettybritty3000@aol.com, dktwister@aol.com,
lilswtbirdy@aol.com, lucky13346@aol.com, sweetcherries4@aol.com,
psychochica65@aol.com, westlifesweetie@aol.com, kath61486@aol.com
Subject: Live Sex Shows (NO CREDIT CARD NEEDED)


Below is the result of your feedback form.  It was submitted by
 (jane85@ax-x.com) on Tuesday, March 26, 2002 at 05:03:50
---------------------------------------------------------------------------

: You are part of a select group of people who have won access to live
sex shows and our archive of over 500 other videos (consisting of
hardcore, asian, and more).  All you have to do is download our client
by clicking here and follow the instructions.  Enjoy!!!

---------------------------------------------------------------------------



Find the message: kath61486

On the mail server, I execute the following:

goku 15# grep kath61486 /var/adm/SYSLOG
Mar 26 05:08:35 6C:goku sendmail[2163501]: g2QA8WQJ2222434: to=,
,,,,
,,,,
, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, 
pri=391198, relay=mailin-01.mx.aol.com. [205.188.156.122], dsn=2.0.0, stat=Sent (OK)

Then I search for the message id:

goku 16# grep g2QA8WQJ2222434 /var/adm/SYSLOG
Mar 26 05:08:34 6C:goku sendmail[2222434]: g2QA8WQJ2222434: from=, 
size=627, class=0, nrcpts=10, msgid=<200203261003.FAA29383@speed.city-net.com>, proto=ESMTP, 
daemon=MTA, relay=speed.city-net.com [206.151.184.7]
Mar 26 05:08:35 6C:goku sendmail[2163501]: g2QA8WQJ2222434: to=,
,,,,
,,,,
, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=391198, 
relay=mailin-01.mx.aol.com. [205.188.156.122], dsn=2.0.0, stat=Sent (OK)


Once I note that the message is from "root@speed.city-net.com", I'm officially "tense." Going to speed, I do the same lookups:

speed 6# grep kath61486 /var/adm/SYSLOG
Mar 26 05:03:53 6C:speed sendmail[28246]: FAA29383: to=hwdballa69@aol.com,dancerqueen42@aol.com,
prettybritty3000@aol.com,dktwister@aol.com,lilswtbirdy@aol.com,lucky13346@aol.com,
sweetcherries4@aol.com,psychochica65@aol.com,westlifesweetie@aol.com,kath61486@aol.com, 
ctladdr=root (0/0), delay=00:00:03, xdelay=00:00:03, mailer=relay, 
relay=mail.city-net.com. [198.144.32.6], stat=Sent (2.0.0 g2QA8WQJ2222434 Message 
accepted for delivery)

speed 7# grep FAA29383 /var/adm/SYSLOG
Mar 26 05:03:50 6C:speed sendmail[29383]: FAA29383: from=root, size=915, class=0, pri=300915, 
nrcpts=10, msgid=<200203261003.FAA29383@speed.city-net.com>, relay=root@localhost
Mar 26 05:03:53 6C:speed sendmail[28246]: FAA29383: to=hwdballa69@aol.com,dancerqueen42@aol.com,
prettybritty3000@aol.com,dktwister@aol.com,lilswtbirdy@aol.com,lucky13346@aol.com,
sweetcherries4@aol.com,psychochica65@aol.com,westlifesweetie@aol.com,kath61486@aol.com, 
ctladdr=root (0/0), delay=00:00:03, xdelay=00:00:03, mailer=relay, 
relay=mail.city-net.com. [198.144.32.6], stat=Sent (2.0.0 g2QA8WQJ2222434 
Message accepted for delivery)


Now I am officially worried. The message is being sent by "root". This is really bad. It makes it hard to trace the problem and leads me to believe I may be hacked. I know I'm sending spam, and I assume it is via a known issue with FormMail.pl, an old cgi-bin program used on my web server. But I don't have a userid, just root. Nothing is run as root dealing with web services.
So I turn on process accounting and take a look. Here is part of what I see:

#sendmail  root      ?            08:23:06 08:23:06          0.04         0.01        80.00
#sendmail  root      ?            08:23:06 08:23:06          0.36         0.13        47.38
#FormMail  root      ?            08:23:06 08:23:06          0.46         0.07      2728.57
#sendmail  root      ?            08:21:49 08:23:06         77.29         0.04         0.00
#sendmail  root      ?            08:23:06 08:23:06          0.47         0.06        44.67
Count.cg   web       ?            08:23:15 08:23:15          0.42         0.03      6324.00
#sendmail  root      ?            08:23:15 08:23:15          0.04         0.01         0.00
#sendmail  root      ?            08:23:15 08:23:15          0.38         0.14        87.71
#FormMail  root      ?            08:23:15 08:23:15          0.51         0.07      2729.71
#sendmail  root      ?            08:23:15 08:23:16          1.19         0.06       483.33
#ncftpd    root      ?            20:23:18 08:23:30      43212.80         0.39        92.92
#sendmail  root      ?            08:23:28 08:23:28          0.44         0.02       764.00
#sendmail  root      ?            08:22:58 08:23:28         30.72         0.04       276.00
#sendmail  root      ?            08:23:29 08:23:29          0.26         0.04       288.00
search.c   bbodweb   ?            08:23:32 08:23:32          0.68         0.46       941.91
specials   bbodweb   ?            08:23:36 08:23:36          0.20         0.16      1280.50
#sendmail  root      ?            08:23:38 08:23:38          0.44         0.02       384.00
#sendmail  root      ?            08:23:08 08:23:38         30.73         0.04       182.00
#sendmail  root      ?            08:23:39 08:23:39          0.44         0.04       288.00
#sendmail  root      ?            08:23:48 08:23:48          0.03         0.01        80.00
#sendmail  root      ?            08:23:48 08:23:48          0.34         0.13        50.15
#FormMail  root      ?            08:23:48 08:23:48          0.43         0.07      1433.14
#sendmail  root      ?            08:23:48 08:23:49          1.12         0.06        63.33
#sendmail  root      ?            08:23:56 08:23:56          0.03         0.01        80.00
#sendmail  root      ?            08:23:55 08:23:55          0.34         0.13        45.23
#FormMail  root      ?            08:23:55 08:23:55          0.42         0.07      2845.71
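
The listing can be searched mechanically for the two things being looked for in it. The following is an added example, not the author's tooling: it parses an acctcom-style listing like the one above and reports which CGI programs ran with superuser privileges, and how many sendmail processes started on the heels of each FormMail run. The excerpt it runs on is constructed from lines like the page's, plus one made-up FormMail run under a customer account to show what the normal case looks like.

```python
import re

# Constructed excerpt in the acctcom(1) layout the page shows:
# COMMAND, USER, TTY, START, END, REAL secs, CPU secs, MEAN SIZE K.
# acctcom prefixes '#' to commands that ran with superuser privileges and
# truncates command names to eight characters ("Count.cg", "search.c").
SAMPLE_ACCT = """\
#sendmail  root      ?            08:23:06 08:23:06          0.04         0.01        80.00
#FormMail  root      ?            08:23:06 08:23:06          0.46         0.07      2728.57
#sendmail  root      ?            08:23:06 08:23:06          0.47         0.06        44.67
Count.cg   web       ?            08:23:15 08:23:15          0.42         0.03      6324.00
#FormMail  root      ?            08:23:15 08:23:15          0.51         0.07      2729.71
#sendmail  root      ?            08:23:15 08:23:16          1.19         0.06       483.33
search.c   bbodweb   ?            08:23:32 08:23:32          0.68         0.46       941.91
FormMail   yyz       ?            08:24:10 08:24:10          0.44         0.07      2700.00
"""

ROW = re.compile(r'^(?P<su>#?)(?P<cmd>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+'
                 r'(?P<start>\d\d:\d\d:\d\d)\s+(?P<end>\d\d:\d\d:\d\d)\s+'
                 r'(?P<real>[\d.]+)\s+(?P<cpu>[\d.]+)\s+(?P<mem>[\d.]+)')

# Names, as acctcom truncates them, of programs that should only ever run as
# the customer account that owns them, never as root.
CGI_NAMES = {'FormMail', 'Count.cg', 'search.c', 'specials'}


def to_secs(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(':'))
    return h * 3600 + m * 60 + s


def parse_acct(text):
    """One dict per accounting record; 'superuser' is the '#' flag."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            d['superuser'] = d.pop('su') == '#'
            d['start_s'] = to_secs(d['start'])
            rows.append(d)
    return rows


def root_cgi_runs(rows, cgi_names=CGI_NAMES):
    """CGI programs that ran as root. With a web server that runs each CGI as
    the script's owner, every hit here points at a root-owned script."""
    return [r for r in rows
            if r['cmd'] in cgi_names and (r['superuser'] or r['user'] == 'root')]


def mailer_bursts(rows, cgi='FormMail', mailer='sendmail', window=1):
    """For every run of `cgi`, the number of `mailer` processes under the same
    user that started in the same second or within `window` seconds after it,
    keyed 'user@start' so each run can be matched back to the listing."""
    bursts = {}
    for r in rows:
        if r['cmd'] != cgi:
            continue
        n = sum(1 for s in rows
                if s['cmd'] == mailer and s['user'] == r['user']
                and 0 <= s['start_s'] - r['start_s'] <= window)
        bursts['%s@%s' % (r['user'], r['start'])] = n
    return bursts


if __name__ == '__main__':
    rows = parse_acct(SAMPLE_ACCT)
    for r in root_cgi_runs(rows):
        print('CGI ran as root:', r['cmd'], r['user'], r['start'])
    for run, n in sorted(mailer_bursts(rows).items()):
        print('FormMail run %s spawned %d sendmail process(es)' % (run, n))
```

Feed it the full acctcom output (for example `acctcom -b` piped into a file) rather than an excerpt; the interesting signal is any CGI name with the '#' flag at all, since on a server that runs scripts as their owner that flag should never appear on a customer's program.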


Notice the pattern of FormMail and multiple Sendmail executions. At this point it looks like the hack on formmail. I'm a bit relieved. But now to find the FormMail that is executing as "root", that is a real no-no. I take a look at the logfile for our main web server. It is set up to allow the execution of cgi-bin programs as the "owner" of the file. This is what lets each of our customers execute code that can only affect their own directory.

Here is what I find:

168.10.32.10 - - [26/Mar/2002:08:33:59 -0500] "GET /~YYZ/FormMail.pl?recipient=cix417@aol.com,zwmz@aol.com,gwargirl52@aol.com,jvks@aol.com,n7215r@aol.com,anjelraver@aol.com,joey1271@aol.com,btfsmash@aol.com,btf82@aol.com,sportzqt11@aol.com&subject=Live%20Sex%20Shows%20(NO%20CREDIT%20CARD%20NEEDED)&email=jane85@ax-x.com&=You%20are%20part%20of%20a%20select%20group%20of%20people%20who%20have%20won%20access%20to%20live%20sex%20shows%20and%20our%20archive%20of%20over%20500%20other%20videos%20(consisting%20of%20hardcore,%20asian,%20and%20more).%20%20All%20you%20have%20to%20do%20is%20download%20our%20client%20by%20clicking%20<a%20href%3D%22http://rd.yahoo.com/health/websites/*http://www.freewebz.com/atoj52/ls/%22>here%20and%20follow%20the%20instructions.%20%20Enjoy!!! HTTP/1.0" 200 670


Many lines of this. I've found my FormMail.pl. I go to the directory for the user "YYZ" and notice that FormMail.pl is owned by "root"! Whoops City! One of our people must have copied a version of this over as root, not understanding what the implications were. At least we don't have a compromise. I "chown" the script to the user.

I also "fix" formmail so that it won't permit this to happen again:

    # Accept the request only if the Referer header names a host listed in
    # @referers, the allowlist defined near the top of FormMail.pl.
    if ($ENV{'HTTP_REFERER'}) {
        foreach $referer (@referers) {
            if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
                $check_referer = 1;
                last;
            }
        }
    }
    else {
        # Changed from 1 to 0: a request that carries no Referer header at all
        # is now rejected instead of being accepted as the stock script did.
        $check_referer = 0;
    }
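
The check above, rendered in Python as an added example (not the page's code and not FormMail's) so it can be exercised against a few Referer values; the two allowlists are assumed. It keeps the Perl pattern's exact semantics, which shows two things to know before relying on it: the pattern is unanchored and interpolates the allowed name as a regex, so any Referer that merely contains the name passes, and the Referer header is set by the client, so a scripted spammer can send a valid one, which is why the page puts "fix" in quotes. A server-side recipient allowlist, included for contrast, does not depend on anything the client sends.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist standing in for FormMail's @referers; the page does not
# show its contents.
REFERERS = ['city-net.com']


def check_referer_formmail(referer, allowed=REFERERS, allow_missing=False):
    """Python rendering of the page's Perl loop. allow_missing=True is the
    stock FormMail behaviour (no Referer header => request accepted); the
    page's change corresponds to False."""
    if not referer:
        return allow_missing
    for host in allowed:
        # The Perl code interpolates $referer unescaped and the pattern is not
        # anchored after it, so '.' is a wildcard and anything may follow the
        # allowed name. Reproduced here on purpose, not escaped.
        if re.search(r'https?://([^/]*)' + host, referer, re.I):
            return True
    return False


def check_referer_host(referer, allowed=REFERERS):
    """Compare the Referer's host component exactly, or as a subdomain of an
    allowed name, instead of searching for a substring."""
    if not referer:
        return False
    host = (urlsplit(referer).hostname or '').lower()
    return any(host == a.lower() or host.endswith('.' + a.lower()) for a in allowed)


# Assumed allowlist of addresses this form may deliver to (added here for
# contrast; not part of the page's change).
RECIPIENTS = ['webmaster@city-net.com']


def recipients_allowed(requested, allowed=RECIPIENTS):
    """Reject any recipient the form was not set up to mail. Unlike a Referer
    check, nothing the client sends can make an unlisted address acceptable."""
    ok = {a.lower() for a in allowed}
    wanted = [r.strip().lower() for r in requested.split(',') if r.strip()]
    return bool(wanted) and all(r in ok for r in wanted)


if __name__ == '__main__':
    for ref in ['', 'http://www.city-net.com/contact.html',
                'http://city-net.com.attacker.example/',
                'http://city-net.com@attacker.example/',
                'http://city-netXcom/']:
        print('%-45r formmail=%-5s host=%s'
              % (ref, check_referer_formmail(ref), check_referer_host(ref)))
    print('recipients cix417@aol.com,zwmz@aol.com allowed:',
          recipients_allowed('cix417@aol.com,zwmz@aol.com'))
```

The three bypass values in the usage block (an allowed name as a prefix of a longer hostname, as URL userinfo before an '@', and with its '.' matched as a wildcard) all pass the original pattern and all fail the host comparison. Even the host comparison only raises the bar for a client that sends whatever Referer it likes; the recipient allowlist is what actually stops the relaying.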


Now I start writing some admins. Each of the IP addresses that were relaying spam through our site via the FormMail.pl script is probably a compromised system. This process involves finding the owner of each IP (which I get from my web server log) and emailing those people. I like to make sure that people who spam or hack around always pay a larger price for messing with us than it's worth. So by making these other machines "unavailable" for them to use on other ISPs I feel I am doing this.
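
Pulling the relaying addresses out of the web log, as the paragraph above describes, and decoding what each request asked the script to send, as in the log line shown earlier, can be done in one pass. The following is an added example, not the author's procedure (which was done by hand): it parses FormMail.pl requests from access-log lines, decodes the form fields from the query string, and summarises them per source address, busiest first, which is the list to take to whois. The log excerpt is constructed: the first line is the page's own request with its body shortened to one sentence, the other three are made up (a second relay abuser, a POST, and a normal single-recipient submission).

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log excerpt in the common log format the page shows.
SAMPLE_ACCESS = """\
168.10.32.10 - - [26/Mar/2002:08:33:59 -0500] "GET /~YYZ/FormMail.pl?recipient=cix417@aol.com,zwmz@aol.com,gwargirl52@aol.com,jvks@aol.com,n7215r@aol.com,anjelraver@aol.com,joey1271@aol.com,btfsmash@aol.com,btf82@aol.com,sportzqt11@aol.com&subject=Live%20Sex%20Shows%20(NO%20CREDIT%20CARD%20NEEDED)&email=jane85@ax-x.com&=All%20you%20have%20to%20do%20is%20download%20our%20client%20by%20clicking%20<a%20href%3D%22http://rd.yahoo.com/health/websites/*http://www.freewebz.com/atoj52/ls/%22>here HTTP/1.0" 200 670
192.0.2.55 - - [26/Mar/2002:08:41:12 -0500] "GET /~YYZ/FormMail.pl?recipient=u1@aol.com,u2@aol.com,u3@aol.com,u4@hotmail.com,u5@hotmail.com&subject=hi&email=x@example.net&=see%20http://spam.example/ HTTP/1.0" 200 670
198.51.100.7 - - [26/Mar/2002:09:02:40 -0500] "POST /~YYZ/FormMail.pl HTTP/1.0" 200 670
203.0.113.9 - - [26/Mar/2002:09:10:03 -0500] "GET /~YYZ/FormMail.pl?recipient=orders@customer.test&subject=Order&email=bob@example.net&comments=two%20of%20item%2012 HTTP/1.0" 200 670
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) \S+')
FIXED = ('recipient', 'subject', 'email')   # FormMail's own fields; the rest is message body


def parse_formmail_hits(text, script='FormMail.pl'):
    """One record per request for `script`, with the form fields decoded from
    the query string. A POST carries its fields in the request body, which the
    access log does not record, so such hits come back with no recipients."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or script not in m.group('target'):
            continue
        q = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
        body = ' '.join(v for k, vs in q.items() if k not in FIXED for v in vs)
        hits.append({
            'ip': m.group('ip'),
            'ts': m.group('ts'),
            'method': m.group('method'),
            'recipients': [r for r in q.get('recipient', [''])[0].split(',') if r],
            'subject': q.get('subject', [''])[0],
            'sender': q.get('email', [''])[0],
            'links': re.findall(r'https?://[^\s"<>]+', body),
        })
    return hits


def landing_page(url):
    """The page's spam hides its site behind a redirector whose real target
    follows a '*'; return that target, or the url itself when there is none."""
    return url.split('*', 1)[1] if '*http' in url else url


def abuse_report(hits):
    """Per source address: request count, recipients relayed, the largest
    single recipient list, destination domains, and POSTs we could not decode."""
    per_ip = defaultdict(lambda: {'hits': 0, 'recipients': 0, 'max_rcpt': 0,
                                  'domains': Counter(), 'posts_unseen': 0})
    for h in hits:
        e = per_ip[h['ip']]
        e['hits'] += 1
        e['recipients'] += len(h['recipients'])
        e['max_rcpt'] = max(e['max_rcpt'], len(h['recipients']))
        e['domains'].update(r.rsplit('@', 1)[-1].lower() for r in h['recipients'])
        if h['method'] == 'POST' and not h['recipients']:
            e['posts_unseen'] += 1
    return dict(per_ip)


def relay_abusers(report, min_rcpt=2):
    """Addresses that asked the script to mail more than one recipient at a
    time, busiest first: the list to look up in whois and report."""
    return sorted((ip for ip, e in report.items() if e['max_rcpt'] >= min_rcpt),
                  key=lambda ip: -report[ip]['recipients'])


if __name__ == '__main__':
    hits = parse_formmail_hits(SAMPLE_ACCESS)
    report = abuse_report(hits)
    for ip in relay_abusers(report):
        e = report[ip]
        print(ip, e['hits'], 'hit(s),', e['recipients'], 'recipients', dict(e['domains']))
    for h in hits:
        for link in h['links']:
            print(h['ip'], 'advertises', landing_page(link))
```

Two caveats the sample is built to show. A POST to the script leaves only the request line in the access log, so a spammer who posts instead of using GET is invisible to this report except as a hit count (the `posts_unseen` counter); the sendmail log and process accounting are the evidence in that case. And the spamvertised link in the page's request goes through a redirector, so the domain to report is the one after the '*', not the redirector's.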